The Gootkit malware framework, which has been recognized for distributing banking Trojans, has recently undergone significant enhancements that enable it to deliver a broader spectrum of malicious software, including ransomware variants.
According to researchers from Sophos, Gabor Szappanos and Andrew Brandt, the Gootkit malware family has been in existence for over five years, focusing heavily on stealing banking credentials. Their recent analysis highlights that advancements in the delivery methods have been almost equal in priority to improvements in the underlying NodeJS-based malware architecture.
Rebranded as “Gootloader,” this enhanced distribution mechanism has coincided with a surge in infection rates affecting users in countries such as France, Germany, South Korea, and the United States.
Initially documented in 2014, Gootkit operates on a JavaScript-based platform capable of executing various covert activities, such as keystroke logging, web injections, screen captures, video recordings, and theft of sensitive credentials.
This malware has progressively evolved, gaining the ability to work in tandem with ransomware strains such as REvil/Sodinokibi, as seen in past campaigns. While traditional social engineering tactics are commonly used for delivering malware, Gootloader has advanced this approach with more sophisticated methods.
The infection process incorporates complex strategies, including the hosting of malicious ZIP files on legitimate websites that have been manipulated to appear prominently in search results through improved search engine optimization techniques.
The malicious search results often lead users to seemingly unrelated sites, indicating a likely expansive network of compromised webpages controlled by the attackers. For instance, researchers discovered a real estate agreement search leading to a breached healthcare facility in Canada.
To optimize regional targeting, adversaries manipulate website code in real time, displaying benign content to visitors outside the intended regions while serving tailored malicious content to visitors within designated geographic boundaries. This refined approach ensures that targeted individuals are funneled into the infection chain effectively.
Users who interact with compromised search results are redirected to a faux message board that matches their initial queries and provides a link to ZIP files. These ZIP files contain heavily obfuscated JavaScript, which executes additional malicious payloads by fetching fileless malware from remote servers.
This operational model follows a multi-stage evasive strategy, beginning with a .NET loader that carries an encrypted Delphi-based component, which ultimately deploys the final payload.
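The lure described above (a ZIP archive whose only meaningful member is a script file named to match the victim's search) is something a defender can check for at the mail gateway, proxy or endpoint before the user ever double-clicks it. The following is an added example written for this article, not code from Sophos or from the Gootloader analysis: it opens an archive in memory, flags members with extensions that Windows would hand to the script host, and reports a byte-entropy score as a rough indicator of heavy obfuscation. The extension list, the entropy threshold, and the sample archives are all constructed for the example.

```python
import io
import math
import zipfile
from collections import Counter

# Extensions that Windows Script Host or the shell executes directly when a
# user double-clicks the extracted file. Any archive carrying one of these
# is treated as a lure candidate. (Assumption: list chosen for this example.)
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; heavily obfuscated script text scores high."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def inspect_archive(zip_bytes: bytes, entropy_threshold: float = 5.0) -> list[dict]:
    """Return one finding per archive member that has a script extension.

    Each finding records the member name, its uncompressed size, the entropy
    of its contents, and whether that entropy crosses the threshold
    (threshold value is an assumption for this example, not a vendor figure).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot >= 0 else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            content = zf.read(info)
            ent = shannon_entropy(content)
            findings.append({
                "member": name,
                "size": len(content),
                "entropy": round(ent, 2),
                "high_entropy": ent >= entropy_threshold,
            })
    return findings


def build_sample_archive(member_name: str, content: bytes) -> bytes:
    """Build an in-memory ZIP with a single member (used only for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: a lure-style archive whose only member is a script file
# named like a document, and a benign archive for comparison. The script body
# is a harmless placeholder, not real malware.
SAMPLE_LURE_ZIP = build_sample_archive(
    "real_estate_agreement_form.js",
    b"var a=['x','y'];function f(){return a.join('')};f();",
)
SAMPLE_CLEAN_ZIP = build_sample_archive("notes.txt", b"meeting notes\n")


if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE_ZIP), ("clean", SAMPLE_CLEAN_ZIP)):
        print(label, inspect_archive(blob))
```

In a real pipeline the findings would feed a quarantine or alerting decision; the entropy score is only a supporting signal, since short or partly obfuscated scripts can sit below any fixed threshold, so the presence of a script extension in a user-downloaded archive is the primary indicator here.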
Current data indicates that besides the Gootkit Trojan and REvil ransomware, various campaigns are now utilizing the Gootloader framework to stealthily deliver Kronos financial malware in Germany and the Cobalt Strike exploitation tool in the U.S. While specific methods of website infiltration remain somewhat ambiguous, it is speculated that attackers may acquire access through either earlier Gootkit infections or by purchasing compromised credentials from illicit marketplaces. They could also exploit existing vulnerabilities in CMS plugins used by websites.
Microsoft has corroborated these findings through tweets, revealing an uptick in hands-on-keyboard attacks originating from Gootkit, distributed via drive-by downloads of ZIP files containing JavaScript.
According to Gabor Szappanos, threat research director at Sophos, “The developers behind Gootkit have increasingly focused on creating a stealthy and multifaceted delivery platform for various payloads, including REvil ransomware.” This shift underscores a broader trend in cybercrime, where adversaries prefer repurposing established delivery methods rather than devising entirely new techniques. Gootloader’s complex evasive tactics highlight a deliberate effort to mask the ultimate objectives of the attacks.